pierre fro

Reputation: 1

Web Socket in APACHE Reverse Proxy

I run two servers behind an AEBS base station. Server1 runs 10.12.6 and Server 5.3.1 and does a REVERSE PROXY with webapps, as described by the precursor.ca tutorial. This allows me to have only one external IP address where server1.mydomain and server2.mydomain get distributed internally. This works OK, but on server2 I run Filemaker Webdirect, which uses web sockets. So I get a wss:// error in the browser. In the web app I wrote:

from http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass

RewriteEngine On

RewriteCond %{HTTPS} =off
RewriteRule . - [E=protocol:http,E=port:80]
RewriteCond %{HTTPS} =on
RewriteRule . - [E=protocol:https,E=port:443]

SSLProxyEngine on
SSLProxyVerify none 
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost On
ProxyPassReverse / http://1.2.3.4:443/
ProxyPass / http://1.2.3.4:443/
ServerName filemaker.precursor.ca

Obviously putting in my own IP address of server2 and its name.

However, the web socket wss://server2.mydomain does not work, and web direct fails.

I can log in, but as soon as I open a wss connection it does not work anymore. It is an apache mod_proxy error.

In the apache error log I read:

[Sun Apr 19 21:58:04.846046 2020] [proxy_http:error] [pid 598] (70008)Partial results are valid but processing is incomplete: [client 189.62.112.162:49213] AH01110: error reading response

In the browser I read:

WebSocket connection to 'wss://fmserver.embatek.com.br/fmi/webd/PUSH?v-uiId=1&v-pushId=341172cf-5d45-454d-972e-3029de5807fa&X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=2.3.2.vaadin1-javascript&X-Atmosphere-Transport=websocket&X-Atmosphere-TrackMessageSize=true&Content-Type=application/json;%20charset=UTF-8&X-atmo-protocol=true' failed: Unexpected response code: 500

Any hints on where to fiddle? Yours, Pierre

Upvotes: 0

Views: 2647

Answers (2)

Mike E

Reputation: 1

I am using apache, and the secure connection stops at the proxy, so I guess you could modify the virtual host config I am using (below) by changing ws to wss, 80 to 443, etc. if your FileMaker server is using a secure connection. 10.1.2.3 is the internal address of the FileMaker server. There might be some redundant stuff in here, but it works.

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName my.external.server.name

  RewriteEngine on
  # Request headers are read with %{HTTP:name}; ${...} is RewriteMap lookup syntax
  RewriteCond %{HTTP:Upgrade} websocket [NC]
  RewriteCond %{HTTP:Connection} upgrade [NC]
  RewriteRule /(.*) "ws://10.1.2.3:80/$1" [P,L]

  # <Location />
    ProxyPreserveHost On

    ProxyPass "/fmi/webd/PUSH" "ws://10.1.2.3:80/fmi/webd/PUSH"
    ProxyPassReverse "/fmi/webd/PUSH" "ws://10.1.2.3:80/fmi/webd/PUSH"

    ProxyPass / http://10.1.2.3:80/
    ProxyPassReverse / http://10.1.2.3:80/

    # Order allow,deny
    # Allow from all
  # </Location>
SSLCertificateFile /etc/letsencrypt/live/my.external.server.name/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.external.server.name/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/my.external.server.name/chain.pem
</VirtualHost>
</IfModule>

Upvotes: 0

Hi-Noguchi

Reputation: 11

It's been a long time, so it may have already been resolved.

I just hit the same problem. I used nginx in my environment, but it was solved by passing the following values to the server.

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_cache_bypass $http_upgrade;

The final code in nginx is as follows:

upstream filemakerserver-webdirect-upstream {
  server xxxxxx.xxx:443;
}

server {
  listen 80;
  server_name yyyyyy.yyy;

  if ($host = yyyyyy.yyy) {
    return 301 https://$host$request_uri;
  }

  return 404;
}

server {
  listen 443 http2 ssl;
  server_name yyyyyy.yyy;

  location / {
    try_files $uri @filemakerserver-webdirect-upstream;
  }

  location @filemakerserver-webdirect-upstream {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_cache_bypass $http_upgrade;
    # Must name the upstream block defined at the top of this config
    proxy_pass https://filemakerserver-webdirect-upstream;
  }

  ssl_certificate /etc/letsencrypt/live/yyyyyy.yyy/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/yyyyyy.yyy/privkey.pem;
}

The following is an article I wrote about this in Japanese.

https://qiita.com/Hi_Noguchi/items/82bc17913b646bd6583f

I hope this helps in the apache environment.

Upvotes: 1
